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IN THE CLAIMS: 

d the claims as follows: 

^^^^^^^^^^ 

^o^ofU.eindusttiaiprocess.m safetyP r 

execution than the standard program; and ^ SsMsiBilsg ^ 

^^^^^ 

Tiding the safety program at times wti orogGgn jsJS^^ 
memory noiamg w henMiafety_Erogranu 

s^id^djrogrMiU^- 25 

jrograni- 

2 (original) The safety controller of dam. 
oaaoperatedonbythesaferypro^. 

f ,» m 2ftn1herincledin g l/Ooirc«iByexchang>ng 
^ontputvalneswllhanexrenralmacluneand 

, , le r of claim 4 wherein the lock management program 
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6 (originaOThesafe.yoontronerofclaim.whereinmebckmanagemen.progr™ 

.oCceda.mes.ar.ofU.esafe^programbeforeun.ooking.hememorypomon. 

7 (currently amended) The saftfy confer of claim 1 wherein lock inaction is a 
setting of a register Una, may he read by .he 1 «»ro g rarn mdtcatmg me 
status of different memory portions as looked and unlocked. 

8. (original) The safety control of alarm 1 wherein the hardware lock operates so mat 
the locked portion of memory may be read. 

9 (original) The safety controller of claim 1 wherein me hardware ,ock operates so mat 
different portions of memory may be simultaneously locked and unlocked. 

,0 (original)^ safety controller of claim . wherein .he lock management program 
executes to keep the portion of memory holding the standard program unlocked. 

.ockingmememory portion a. the conclusion of the safety program. 

,2 (original) The safety controller of claim 1 wherein me portion of memory holdmg the 
safety program also holds a copy of se.ec.ed dam generated by the standard pro-am. 

13 ( previous 1 ypre S ented)Tbesafe t ycon tt ol.er of claim 1 tamer including a lock check 
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when a safety program is not executing and invoking an error 
the safety program is unlocked. 



is- 



if the memory portion holding 



14 (original) The safety controller of claim 1 further including: 

asecond processing unit having a processor executing instructions, and a memory 

adapted to hold a copy of the safety program; and 

asynchronizationprogram executable by the processing units to execute the safety 
program on both processing units and compare execution of the safety pro-ams and to enter a 
safety state when this execution differs. 

,5 (ongin^ThesafetyconwUerotolaimMwhereinthesecondprocessingum. 
provides a hardware lock preventing writing of a. lea, a portion of the memory adapted to ho.d a 
copy of the safety program as controllable by a lock instruction. 

,« (currently tended) A method of operating a safety controller having a processing 
uni, with a processor executing inspections, and a memory ho.ding instructions and data, .he 
"clinglitprovidtitg ahardwardoCtpreventingwritingofatleaaraportionofthememory 
as controllable by a. ock instruction, the method comprising me steps of 

(a) .oading a first portion of memory with a standard program provrdmg eontrol fo an 
iadustria, proeess and a second portion of memory wim a safety program providing contro of 

(b) executing the safety program and standard program a. different times and d*™ 
ffihali!2J a<e f y^^ the second 

ortionof memory a, „*er times sh^th^^^ 

BmrJB1 i^ob uaE ^^ 

program .. 
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17. (original) The method of claim 16 wherein the second portion of memory also holds 
data operated on by the safety program. 

18. (original) The method of claim 17 further wherein the safety controller includes I/O 
circuitry exchanging input/output values with an external machine and wherein the data includes 
input/output values. 

19. (original) The method of claim 16 further including the step of confirming the second 
portion of memory is locked at the start of the safety program before unlocking the second 
portion of memory and invoking an error if the second portion of the memory portion is not 
locked before the unlocking. 

20. (original) The method of claim 16 wherein the lock instruction is a setting of a 
register that may be read by a program indicating the status of different memory portions as 
locked and unlocked. 

2 1 . (original) The method of claim 1 6 wherein locked memory may be read but not 
written to. 

22. (original) The method of claim 16 wherein different portions of memory are 
simultaneously locked and unlocked. 

23. (original) The method of claim 16 wherein the first portion of memory remains 
unlocked. 

24. (original) The method of claim 16 further including the step of periodically checking 
the status of the second portion of memory when a safety control program is not executing and 
invoking an error if the memory portion is unlocked. 
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25. (original) The method of claim 16 further wherein the safety controller includes a 
second processing unit having a processor executing instructions, and a memory adapted to hold 
a copy of the safety program, and including the step of: executing the safety program on both 
processing units and comparing execution of the safety programs to enter a safety state when this 
execution differs. 

26. (currently amended) A method of operating a safety controller system comprising the 
steps of: 

(a) accepting program instructions from a user describing the logical combination of input 
sensor data to produce output control data; 

(b) collecting the program instructions into logical tasks; 

(c) identifying the task as to one of two levels of reliability, a first level being of higher 

reliability than the second level; 

(d) loading a task of the first level into a first portion of memory and a task of the second 

level into a second portion of memory; 

(e) executing the loaded tasks at different times and determining when the task of the first 
lgyel is to be run and hased upon th is determination, unlocking the first portion of memory at 
times when the task of the first level is executing tonm and locking the second portion of 
memory at other times wh*n the task of fr « first level is finished running and the task of the 
second level is to he mn so that t h e task of the second level when run nin g cannot corrupt the task 
of the first level. 
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